MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a23bbff9bc47c486445ae23c77569ae7d2d026532dda717dd6a97069562f5bac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 11

SHA256 hash: a23bbff9bc47c486445ae23c77569ae7d2d026532dda717dd6a97069562f5bac
SHA3-384 hash: 839bec9639b0c7e2c11627ff7232d4d580c9ff2c114790ba3089b52218253146c0092a5ac79e15248cd36e655278d8b9
SHA1 hash: 026af1ba4eeb45b03676461aed24171e0beb239d
MD5 hash: 890937bd623473b8a8d7be78cef306c8
humanhash: iowa-nineteen-mirror-uranus
File name: 890937bd623473b8a8d7be78cef306c8.exe
Signature: CoinMiner
File size: 6'217'448 bytes
First seen: 2022-01-02 07:47:49 UTC
Last seen: 2022-01-02 09:34:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 43ebd164867e0481f2f3baae2a7cf5a5 (2 x RedLineStealer, 2 x CoinMiner)
ssdeep: 98304:F1DWM1IN7t8wDy/AL9+UpBHqCy350iF4bi/kawOfv60cbykEzn6o/WkGsISgU1UL:F1D51E8VYZlnKCu50iF1SbyTz6o+kGs+
Threatray: 6 similar samples on MalwareBazaar
TLSH: T1BE562363137100B5E6DACC355637FDA571F207B58B42ACB9889BA8C136228F5F722B53
dhash icon: ac4a42185b69b254 (1 x CoinMiner)
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 362
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 890937bd623473b8a8d7be78cef306c8.exe
Verdict: Suspicious activity
Analysis date: 2022-01-02 07:49:58 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
DNS request
Launching a process
Running batch commands
Forced shutdown of a system process
Downloading the file
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
AntidebugCommonApi
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: BitCoin Miner SilentXMRMiner
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Powershell drops PE file
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Behaviour
Behavior Graph (ID 547076; sample ja2SLqZHo5.exe; start date 02/01/2022; architecture WINDOWS; score 100). The graph rendering is omitted; the process tree it showed:
ja2SLqZHo5.exe (overwrites code with unconditional jumps; writes to foreign memory regions; allocates memory in foreign processes)
  -> AppLaunch.exe (x2)
     -> cmd.exe (suspicious powershell command line; tries to download and execute files via powershell)
        -> powershell.exe (contacts tjersy.ru, 81.177.140.53:443, RTCOMM-ASRU Russian Federation; drops C:\Users\user\AppData\Roaming\joker.exe, PE32+)
        -> powershell.exe -> joker.exe (antivirus and multi AV scanner detection for dropped file; detected unpacking)
           -> conhost.exe (drops C:\Users\user\AppData\...\services32.exe, PE32+)
              -> cmd.exe -> services32.exe (antivirus and multi AV scanner detection for dropped file; detected unpacking)
                 -> conhost.exe (drops C:\Users\user\AppData\...\sihost32.exe, PE32+)
                    -> sihost32.exe (writes to foreign memory regions; allocates memory in foreign processes; creates a thread in another existing process)
              -> cmd.exe -> schtasks.exe (uses schtasks.exe or at.exe to add and modify task schedules)
        -> conhost.exe
Threat name: Win32.Trojan.Nitol
Status: Malicious
First seen: 2021-12-28 17:38:00 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 24 of 43 (55.81%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: vmprotect
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Malware Config
Dropper Extraction: https://tjersy.ru/joker.exe
Unpacked files
SHA256 hash: 557e1e0f7fc3b25b194221105954dd2a6f4225f333a9d0beea5e80cf94e59c0f
MD5 hash: ab41f30d4be9c6cedd0acbf20b54b7f1
SHA1 hash: 000d2fedb20e4d3907113f77bf928db58025e56d
SHA256 hash: 07e39a058fa617c6b6bf21fe183ad33ec71fa932173249216e65ceeef462e27e
MD5 hash: 9d33ad90a3abd73745b3f0c3e218fca2
SHA1 hash: af4a7538063e4e10a21fe1ec616c3e9b2193d850
SHA256 hash: a23bbff9bc47c486445ae23c77569ae7d2d026532dda717dd6a97069562f5bac
MD5 hash: 890937bd623473b8a8d7be78cef306c8
SHA1 hash: 026af1ba4eeb45b03676461aed24171e0beb239d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_KB_CERT_03e9eb4dff67d4f9a554a422d5ed86f3
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CoinMiner
File: Executable exe a23bbff9bc47c486445ae23c77569ae7d2d026532dda717dd6a97069562f5bac (this sample)
